Retail Payments Risk Forum
Font Size: A A A

Portals and Rails

June 16, 2014

Banking on the Financial Institutions as Gatekeepers

With all the changes and new participants in the payment industry, financial institutions remain the participants in the best position to know their customers. They still play a central role in transactions, so laws, regulations, and rules view them as gatekeepers, best able to protect consumers from unauthorized payments and fraudulent business practices. This gatekeeper role has never been simple, but the increase in the number and type of businesses conducting transactions over the internet and mobile devices has added to its complexity and difficulty. Complicating the gatekeeper role further is the increasing number of intermediaries involved in the payments stream.

Over the years, regulators have issued guidance to institutions highlighting issues related to high-risk businesses and service providers. In the fourth quarter of 2013, both the Office of the Comptroller of the Currency and the Federal Reserve Board issued guidance on third-party risk management for financial institutions. The new guidance highlights the growing importance of managing relationships with payment participants and makes it clear that institutions have to focus on managing customer relationships, which starts at onboarding.

Regulatory pressure is one approach to keeping the payments system safe, and so is the pressure that law enforcement agencies put on financial institutions. A recent example includes the crackdown of the New York Department of Financial Services on unlawful payday lending practices.

Payments system rules are also effective in keeping financial institutions focused on indicators of the fraudulent use of a payment type. For instance, NACHA Operating Rules include a provision that says an institution is out of compliance if its businesses have a return rate for unauthorized transactions over 1 percent. (A previous post addressed proposed enhancements to the NACHA Operating Rules to address additional indicators of fraud.)

An even stronger type of pressure exerted on financial institutions is when an agency bans a payment type entirely or restricts its usage. For instance, the Federal Trade Commission issued a proposal last year to ban the use of remotely created checks by telemarketers. If a payment type is banned, the financial institution's role is to enforce the ban with its business clients.

The emphasis on the financial institution's gatekeeper role underscores the continued importance of protecting consumers from fraudulent payment practices. It also highlights the fact that this role is not an easy one and brings with it certain risks and costs.

Photo of Deborah Shaw

June 16, 2014 in banks and banking, regulations, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73dd9fb1b970d

Listed below are links to blogs that reference Banking on the Financial Institutions as Gatekeepers:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 19, 2014

Choking on the Cost of Risk Management

In March 2013, the Department of Justice (DOJ), joined by the Federal Deposit Insurance Corporation (FDIC) and the Consumer Financial Protection Bureau (CFPB), quietly launched the program “Operation Choke Point.” The program’s objective is to cut off fraudsters’ access to consumer bank accounts by restricting—or choking off—their access to the banking system. Normally the fraudsters would be the only ones complaining about officials trying to shut down their business, but this program is also creating new risk management challenges for the banking industry.

While critics of the program readily admit that criminal activities should be fully investigated and prosecuted, they contend that the program has imposed a wider, “chilling,” effect on financial institutions and their third-party payment processors. A number of financial institutions have said that the operational, compliance, and risk costs associated with the increased scrutiny outweigh the benefits of such high-risk but legal business account relationships and can result in their termination.

The agencies defend their actions, stating that the “know-your-customer” and “know-your customer’s customers” requirements have been in place for some time. They say they are targeting only processors and financial institutions that are blatantly exchanging these requirements for due diligence and compliance with the Bank Secrecy Act (BSA) for a sizable fee revenue opportunity.

By September 2013, the DOJ had issued 50 subpoenas to financial institutions and their processors citing the BSA’s requirements for a financial institution to monitor the activities of its customers and its customer’s customers for suspicious activity. In its first enforcement action of the program, in early 2014, the DOJ entered into an agreement with a holding company of a North Carolina community bank for $1.2 million in civil penalties and with certain restrictions with regards to its future processor relationships. The DOJ alleged that the holding company’s management knowingly ignored numerous warning signs that some of its processing customers had clients engaged in illegal business practices, including internet-based payday lending, gambling, and even Ponzi schemes, all to generate large amounts of account service charges and fees. A U.S. District Court judge approved the agreement on April 25 this year. However, the bank didn’t admit to anything in the DOJ complaint nor to any liability.

To help financial institutions better deal with the risk management requirements that Operation Choke Point highlights, a number of associations have developed materials or issued guidelines. An earlier Portals and Rails post discussed the reminders from NACHA on the know-your-customer’s-customer rules and the proposed rules about return item limits that could potentially signal fraudulent or deceptive practices. The Electronic Transactions Association (ETA) has recently published a best-practices guide for processor relationship onboarding and continued oversight. This document, “Guidelines on Merchant and ISO Underwriting and Risk Monitoring,” is available to ETA members only, but the organization has given us permission to make the guide’s executive summary available.

Portals and Rails is interested in your thoughts on Operation Choke Point and the response by some banks, and we pose this question: Are banks properly pricing their services to the business that requires such intense risk management measures?

Photo of Deborah ShawBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


May 19, 2014 in banks and banking, law enforcement, regulations, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73dc5354c970d

Listed below are links to blogs that reference Choking on the Cost of Risk Management:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 31, 2014

Ignore Millennials at Your Own Risk

At a recent conference primarily for credit unions and small banks, I participated in an interesting discussion about the future role of banks and legacy payments for person-to-person (P2P) payments. Few of the attendants offered a P2P solution as part of their online or mobile banking platform and those that did claimed the product was seldom used, if at all. There was consensus that a majority of their customers just aren't interested in this product.

I recently wrote on this topic, hailing the check as an efficient form of P2P payment thanks in large part to mobile remote deposit capture. But perhaps my experience of writing a check to a 20-something babysitter was more of an anomaly than the norm. A recent survey that GOBanking Rates conducted reveals that nearly 40 percent of consumer banking customers never write checks and 61 percent of banking customers between the ages of 18 and 24 claim to never write checks. Another survey of 10,000 millennials (those born from 1981 to 2000) reveals that the banking industry is at the highest risk of disruption. Seventy percent of the respondents believe that the way we pay for things in five years will be totally different. One in three of the respondents believe they will not need a bank.

So what can financial institutions take away from my experience and these surveys? Two things stand out to me. First, there are still banking customers (young ones included) that continue to write checks or prefer to receive checks over alternatives from banks and nonbanks. Though I fully expect check usage to continue to decline, the complete demise of the check is a fantasy. Second, and most important, financial institutions that choose not to evolve in the payments space risk disintermediation or even becoming irrelevant. While their customers today may not want specific products or payment capabilities, the reality is that the makeup of a majority of these customers today won't be the same as in the future. A generation of potentially new customers has a very different view on payments and banking. Ignoring these future customers will lead to harsh realities for financial institutions. What is your institution doing in terms of payments to attract and keep millennials and avoid becoming a dinosaur?

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 31, 2014 in banks and banking, emerging payments, innovation | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a3fce35a78970b

Listed below are links to blogs that reference Ignore Millennials at Your Own Risk:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 24, 2014

The Fraudsters Are Omni-Channel--and Omnipresent

"Omni-channel banking" is an in-vogue term for what bankers have known for quite some time: customers can access multiple channels to conduct their banking, have a preference for one over the others, and that preference to a large degree reflects their ages. Despite their primary preference, these consumers are likely to use multiple delivery channels, and when they do, they want a seamless experience when moving from one to another. The banking industry has struggled to successfully implement such an experience. Achieving this seamlessness is difficult because the industry has historically had a vertical organizational structure, in which each distribution channel has its own strategic plan and sometimes even an independent technology, which leads to differences among the channels. For example, if a customer were to check his or her account balance from an ATM or automated call center, the balance can be different from the balance they would get from a teller inside a branch.

Unfortunately, criminals have also adopted omni-channel usage, and at an even faster pace—they are not concerned with having a transparent or seamless experience. In fact, they seem to be more successful when there are disparate systems because that makes the detection of fraudulent activity more difficult. For example, we have seen criminal attacks move from in-branch armed robberies to ATM cash-out cyberheists. Why risk a physical confrontation and mandatory jail sentence when you can work anonymously and actually get a greater haul? We are also aware of cross-channel fraud activity within the electronic channels. In one case, e-mail phishing attacks led to a customer unwittingly disclosing online banking credentials (user ID and password) and then fraudulent payments or wires being initiated through the online channel. In a recent post, we talked about how criminals often target call centers. They use social engineering techniques to gain sufficient account information to fraudulently access accounts through a variety of channels.

A lesson from these incidents is that financial institutions must take a holistic view of fraudulent activity and not just a channel-specific view. For major losses, they have to perform forensics to determine the channel where the fraudulent effort began not just the channel where the actual fraudulent transaction occurred. Only after such investigative work can the financial institution identify the weak points in its system and processes and take the necessary steps to fortify them to provide a higher level of protection against future attacks.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 24, 2014 in banks and banking, crime, cybercrime, financial services | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a5118d52d4970c

Listed below are links to blogs that reference The Fraudsters Are Omni-Channel--and Omnipresent:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 10, 2014

Who Is Responsible for Consumer Security Education?

A theme that consistently appears in our Portals and Rails blogs is the continual need for consumer education when it comes to protecting account access credentials. Financial institutions have generally taken this responsibility seriously, running frequent verbal and print campaigns reminding customers to safeguard their payment cards, monitor account activity frequently, and adopt strong password and PIN access practices.

But as payment channels and access devices expand outside the bank-controlled environment, who then becomes responsible for customer education? The representatives of mobile phone carriers and handset manufacturers, for example, are often in sales mode. The last thing they want to do is scare off a potential sale by identifying the potential for fraud with their product or service.

When I recently went to purchase a new mobile phone that was equipped with a number of strong security safeguard options, the sales representative was more interested in selling me high-margin accessories than telling me how to safeguard the phone and its contents. While I understand the motivation of the sales representative, especially if he works under a sales incentive compensation plan, wouldn’t it easy for the carrier or phone manufacturer to provide a brochure promoting safe practices?

Unfortunately for the financial institutions, the stakes are high. For them, the financial impact of fraudulent activity on a customer's account is often a one-two punch. First, various regulations and rules are in place to protect consumers from liability, so the financial institutions generally write off the fraud loss. Second, and perhaps more painful, victims of fraud often move their accounts even though their financial institution is not at fault. The challenge of consumer education by the bankers is becoming more and more difficult as the opportunity for direct contact with the customer lessens with every new payment transaction product or service.

As we've seen before, in the aftermath of recent card transaction and customer data breaches, the negative reputational and financial impact from fraud is felt not just by financial institutions but also by the retailer or company that was breached. Will such events cause these other stakeholders to take a more proactive role and join financial institutions in educating their customers?

Portals and Rails is interested in hearing from you as to how the payments industry might best address customer awareness and education regarding security.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 10, 2014 in banks and banking, consumer fraud, consumer protection, data security, mobile payments | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a51180c012970c

Listed below are links to blogs that reference Who Is Responsible for Consumer Security Education?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 03, 2014

Call Center Phone Fraud: Are You Really Who You Say You Are?

"Have I reached the party to whom I am speaking?" Lily Tomlin would use this line whenever she would play her character Ernestine the telephone operator on the classic TV comedy show "Laugh-In." But to the thousands of financial institutions that operate call centers, the question of whether their customer service representatives are talking to an actual customer is no laughing matter.

In a recent report on call center phone fraud, Pindrop Security cites a number of alarming statistics based on their clients' actual experiences: one in every 2,500 calls to a call center is fraudulent; the average fraud loss per call received is $0.57; and the average potential loss to an account from phone fraud is more than $42,000. It seems that the call center has become an increasingly attractive target for fraudsters.

A call from someone not authorized to access the bank account in question may not directly result in a financial loss on that call. In fact, Pindrop's research indicates that it takes an average of five calls before the fraudster gathers enough information to strike. They use those preliminary calls to gain account or customer information that will help them subsequently to generate a fraudulent transaction, whether it's through the call center or another channel. Some of the calls are from criminals who are simply trying to get account information such as credit and debit card information that they can sell to others. Some of the calls attempts to change account settings such as statement mailing address or call-back phone numbers. With a simple address change, the criminal can gain more information about the accountholder and also keep the victim from being alerted to fraud on their account. Often, a call that results in a direct loss occurs when the fraudster obtains sufficient account credentials to generate a fraudulent wire transfer or ACH transfer from the targeted account.

While these criminals might be looked at as "low-tech hackers" compared to the sophisticated hackers who probe computer systems or worse, the evidence from law enforcement shows that these groups are just as well-organized and sophisticated. They are often based outside the United States, which makes investigations and prosecutions difficult. Sometimes they use technology to change their voice or to show a fake phone number on the bank's caller ID system. The fake phone number helps the fake caller avoid suspicion when the call is coming from outside the customer's area of residence.

To address this growing attack vector, financial institutions are adopting new technology to help them detect potentially fraudulent calls. Voice biometric technology can detect altered voices or even compare the caller's voice to a database to verify the caller's legitimacy. In addition, phone call and device "fingerprinting" gathers enough information from the caller's device to allows the call to be scored, just like a card transaction, on how likely it is to be fraudulent.

It is clear that criminals are attacking all physical and virtual channels of banks, sometimes using information obtained through one channel to carry out fraud in another channel. Portals and Rails believes it is important that you approach your fraud mitigation strategy from a cross-channel perspective. Please let us hear about your challenges and successes with such efforts.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 3, 2014 in authentication, banks and banking, consumer protection | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73d6e311b970d

Listed below are links to blogs that reference Call Center Phone Fraud: Are You Really Who You Say You Are?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 21, 2014

Online Payday Lenders: An Illustration of the Importance of Bank Due Diligence

3-legged stool Because of a series of incidents involving illegal payday loans, online payday lenders have been featured in news articles of late. They've also been the focus of increasing enforcement actions to ensure that adequate consumer protection is in place. States are stepping up their enforcement actions against online payday lenders that violate state laws, and federal regulators are stepping up enforcement of federal and state laws. Meanwhile, online lenders and their third-party payment processors are defending their roles in providing this borrowing option to consumers.

The recent uptick in attention on online payday lenders is an impetus for us to stress the importance of banks conducting their due diligence process for any payment processor or business for which they provide payment services. It's useful to look at this due diligence as a three-legged stool, with regulatory compliance, know your customer (KYC), and know your customer's customer (KYCC) all working together to keep the stool upright.

In an August 2013 post, we examined the risks incurred by banks that originate payments for online payday lenders. Much debate has focused on whether online payday lenders—and those who provide services to them—are unfairly targeted by regulators and enforcement agencies. The reality is that businesses that comply with state and federal law are not the reason for increased guidance and enforcement.

When it comes to online payday lending, the law—one leg of the stool—is quite complex. At the state level, laws can significantly differ from state to state. Some states, including Georgia, do not even allow online payday lending. But many online payday lenders operate virtually, and are therefore more likely to operate nationally, which can add to the confusion about complying with all relevant state and federal laws. When conducting their due diligence processes, banks should always consider their customers' ability to operate within the law.

KYC and KYCC are also two very important components of a bank's due diligence process with any customer for which they originate transactions. The better the bank understands the business lines of its originator from the very beginning, and the better they understand it over time by way of continuous monitoring, the greater their chance to quickly identify and address any problems.

Like any business, online payday lenders can use the services of a third-party payment processor. As we explained in a September 2013 post, payment processors are a bank's direct customer in providing payment services to businesses . This adds another layer to the bank's due diligence processes. With this kind of relationship, banks now need to know their customer's customer—in this case, the online payday lender.

Banks should use the recent attention to online payday lenders as a reminder to review and improve their due diligence practices for all their customers. They should make sure that all three legs—KYC, KYCC, and compliance with the law—are in place so that the stool doesn't topple.

What lessons has your bank learned from the recent attention to payday lenders?

Photo of Deborah ShawBy Deborah Shaw, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 21, 2014 in banks and banking, consumer protection | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019b0515c579970d

Listed below are links to blogs that reference Online Payday Lenders: An Illustration of the Importance of Bank Due Diligence :

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 16, 2013

Is It the Right Time for Lower ACH Return Rate Thresholds?

Monitoring return rates for automated clearing house (ACH) transactions is an important element of a bank’s risk mitigation program for its business and third-party clients. Recently, NACHA issued a request for comment (RFC) that addresses proposed changes to return rate thresholds included in the NACHA Operating Rules.

The NACHA Operating Rules currently identify a return rate threshold for unauthorized debit entries of 1 percent. The threshold is intended to reduce unauthorized entries transmitted over the ACH network. The NACHA Operating Rules hold an originating depository financial institution (ODFI) that has an originator or third-party sender with an unauthorized return rate over 1 percent subject to ODFI reporting and possible fines if the rate of returns is not reduced in a timely fashion.

According to the RFC, the unauthorized debit return rate declined due to several risk management efforts—including the 1 percent threshold, established in 2008—from 0.06 percent in 2005 to 0.03 percent in 2012. These reduced numbers demonstrate that the monitoring of return rates by banks and other network participants helps to identify issues and leads to fewer problematic transactions.

This RFC proposes three changes to how the NACHA Operating Rules currently address return rate thresholds.

  • A reduction in the return rate threshold for unauthorized debit entries from 1 percent to 0.5 percent.
  • Establishment of a return rate threshold for data quality debit entries (such as invalid account number) of 3 percent.
  • Implementation of an overall debit return rate threshold of 15 percent.

NACHA had issued an RFC in spring 2011 that proposed changes similar to the first two listed items, but ACH participants did not provide sufficient support then and the changes were not implemented. It seems that the time may now be right. The RFC indicates that the environment for this proposal appears to have changed, with ACH participants expressing interest in looking at new thresholds. And the proposal for an overall debit return threshold stresses the need for banks to focus on their overall return rates in addition to specific return reasons.

Regardless of which thresholds are included in the NACHA Operating Rules, banks should monitor for any increase in returns. They should also understand the underlying cause and remedies that their business or processor customers are implementing. A bank focus on return issues is one element of a robust risk management program that helps to ensure the bank’s origination of high-quality payment transactions.

With this proposal on return rate thresholds, is your institution rethinking its internal policies for return rate monitoring?

Photo of Deborah ShawBy Deborah Shaw, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


December 16, 2013 in ACH, banks and banking, regulations | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019b0317a3ef970d

Listed below are links to blogs that reference Is It the Right Time for Lower ACH Return Rate Thresholds?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 25, 2013

Maintaining a Strong Defense with Layered Security

A medieval castle generally had many lines—or layers—of defense to protect itself and its inhabitants from outside attackers. For example, it would have an outer perimeter with a high berm making the passage of horse-drawn weapons difficult. This berm would surround a vast, open space that allowed the enemy no cover. Closer to the castle would be the moat, which enclosed high fortress walls with ramparts that allowed the human defenders to fire down on attackers while still having protective cover. An enemy that successfully breached all layers of security was a strong enemy indeed—or a friend, someone with proper security clearance, who was permitted to pass through.

This multilayered security is highly effective in today's computer age. Financial institutions that haven't done so already should institute such a strong online authentication process. This process would require an individual who needs to access an account to go through multiple layers of authentication according to the risk level associated with the intended transactions. For someone checking an account balance, for example, a user ID and a password may be sufficient. But for someone initiating a wire transfer request for $50,000, more layers of authentication tools are appropriate and in keeping with the 2005 Federal Financial Institutions Examination Council's supplemental guidance for internet banking to implement more robust controls as the risk level of the transaction increases.

Panel members at a recent forum cosponsored by the Secure Remote Payment Council and the Atlanta Fed's Retail Payment Risk Forum provided their assessment of the security tools that can improve online customer authentication. They did this by assigning scores to individuals tools based on a scale of 1 to 10, with 1 being extremely weak and 10 being extremely strong. While members gave pretty low scores to each individual tool, they pointed that a combination of these tools would significantly raise the strength of the authentication process, and presumably the scores of these combinations would be higher.

As the table shows, only one of the tools had an average score above 5.

Output effects from alternative tax reforms

We cannot say it enough: no single authentication method provides a complete solution. A strong customer/transaction authentication program uses a combination of hardware and software security tools to minimize the success of unauthorized account access. The program also incorporates customer education and training and internal policies and procedures to provide a well-rounded defense.

Portals and Rails is interested in how you would score the various tools and how your institution is implementing a multilayered authentication strategy.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 25, 2013 in authentication, banks and banking, cybercrime | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019b01a2f45e970b

Listed below are links to blogs that reference Maintaining a Strong Defense with Layered Security:

Comments

Interesting that Tokens scored that high. With malware bypassing them and the overhead of physical management of the hardware.

But, agree 100%...layered security is only direction to go in.

Posted by: Matthew | November 25, 2013 at 09:24 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 30, 2013

Securing All the Links in the Chain: Third-Party Payment Processors

Consumers may not know when a payment transaction involves more than the merchant who they buy from and the bank that has the debited account. They have no reason to know that there are often other "links" in the payment processing "chain." One such link is the third-party payment processor (processor).

The processor works between the business and the bank, providing payments services to the business while serving as a connection point to the banking system. The processor facilitates automated clearing house, or ACH, payments; credit, debit, and prepaid card payments; and remotely created check payments.

Banks that have processors as their customers must be careful to minimize the risk associated with adding another link to the payments process. Central to this risk mitigation is for the bank to conduct due diligence, including "know your customer" (KYC)—in this case, the processor—and also "know your customer's customer" (KYCC)—in this case, the businesses on whose behalf the processor is transmitting payments. Regulators, including the Federal Deposit Insurance Corporation and the Office of Comptroller of the Currency, have published and updated guidance emphasizing the essential importance of banks' risk-based management of their processor relationships.

Bank risk mitigation includes taking steps at the time of onboarding new processors as well as on an ongoing basis to monitor for any problems related to changes in those relationships. Recommended practices during onboarding include verifying the legitimacy of the business by visiting the processor's office and reviewing marketing materials and websites. It is essential that the bank understand the business lines that the processor's customers support and be aware of any payments-related concerns. For example, processors should provide the bank information on any law enforcement actions and consumer complaints related to its customers.

A bank's ongoing monitoring should include knowing about changes with either the processor or its business customers. Requiring the processor to inform the bank of new customers or business lines is one way to identify developments that require further study. Banks should also require processors to report any changes in the nature of consumer complaints, particularly if they include claims of unfair and deceptive practices that a business customer may have used. Monitoring for warning signs of potential fraud can be aided by receiving reports from the processor on its return rates and those of its business clients. High return rates for certain reasons, such as unauthorized or insufficient funds, should be investigated for the underlying cause and then addressed with the processor.

Furthermore, banks are advised to keep their board members aware of processor relationships by providing periodic reporting on transaction volumes, return rates, and types of businesses served.

Banks that focus on securing the processor link in payments transactions will mitigate their risk, support the payment efficiencies that processors bring to their merchant clients, and protect the payments system for the benefit of consumers.

We would like to hear what processes your institution has in place to monitor processors.

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 30, 2013 in banks and banking, consumer protection, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019affb14827970d

Listed below are links to blogs that reference Securing All the Links in the Chain: Third-Party Payment Processors:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in